Posted by timothy on Thursday January 16, 2014 @11:53AM from the oh-yeah-forgot-to-mention dept.

judgecorp writes "Syed Hussain, already serving time for helping to plot attacks against UK targets, got another four months for refusing to divulge the password of a USB stick the police and GCHQ wanted to examine. The USB was believed to contain data about a suspected fraud unconnected with national security, and Hussain claimed to have forgotten it under stress. He later remembered it and it turned out to be a password he had used on other systems investigated by the police."

It has been obvious for a long time, that when it comes to privacy of the person and their rights when in conflict with the demands of the state and defending these rights in court, that the subject of the court case will be a scumball.

Just because he is scum doesn't mean he doesn't have rights. Someone's grandmother up on similar charges, we could all support defending their rights, unfortunately, they are not the ones likely to end up with those charges in the first place.

There are two scenarios in forcing someone to hand over information on an encrypted disk.

1) With no evidence of wrongdoing they make you hand over information that's encrypted. There is no court order, because there isn't any evidence. It's like passing through security and they want to view secret documents in your locked briefcase. That's not warranted. It's a violation.

2) Court has evidence against you, there is an investigation, and the court orders you to hand it over. It's the same as asking for the key to your briefcase because they have a warrant to search it. The only difference is that if you don't give them the key they can't smash the lock to open it up. If you don't give them the key and they can't open it up they will throw you in jail for disobeying the court. I see that as nothing different than what has happened here.

Now it has been argued, I believe successfully, that encrypted data should be treated just like personal speech, which should be protected by the 5th. Now this wasn't the U.S. so this has no bearing on the current case. It's quite interesting to think of how this falls. Is it the same as making someone testify or make a statement, or is it more like locked files in a cabinet?

So while the scenario in part 1) isn't debatable, the scenario in part 2) is. Was this a violation of freedom? It's hard for me to say.

That's not the moral of this story. He was given 4 months because he wasted police time - that was because he actually gave them the password in the end.

If he had continued not to give them the password, even if it were actually true that he had forgotten it, they could have imprisoned him for considerably longer, the current maximum is 10 years, which is more than you get for cutting someone's throat with a smashed beerglass in the pub, and considerably more than the slap on the wrist you get for killing an unarmed civilian if you're a police marksman.

This warped and clearly unfair legislation was brought to you courtesy of this total bastard [wikipedia.org].

FTFY. Maybe he was lying, maybe he really was stressed by, you know, being prosecuted on terrorism charges and having immense pressure put on him by the police. I find it hard to believe that it could be proven beyond reasonable doubt either way.

The password was $ur4ht4ub4h8 - as Bruce Schneier said a few weeks ago - encryption is still on our side. Regardless of the NSA/GCHQ revelations, they cannot break AES yet. That's why the British police resort to section 49 http://www.theregister.co.uk/2014/01/16/password_refusal_earns_terror_suspect_extra_jail_time/

What makes you think they hadn't it all cracked, but just wanted to have him spend more time in jail while they prepare the other stuff they will hit him with? What if he really had forgotten the password? Besides, he had already given them; why would they not have tried all other passwords they had received?

Reporting on this provision of RIPA is always wrong, and the Slashdot discussion is even worse.

To face conviction for failing to disclose a password in the UK the police have to be able to prove beyond reasonable doubt (and that's specifically stated in the legislation itself) that you knew the password at the time.

This case is no different. The guy was arrested for terror plots, asked to divulge a password but then claimed he didn't know it, the police couldn't prove he did know it so nothing came of it, the guy was jailed anyway under all the other evidence they had.

The police then found it seemed he'd been involved in card fraud. Turns out incriminating evidence of this was on the memory stick and that's why he didn't want the police accessing it, because he clearly hoped if he got off with the terrorism charge they'd never find out about the card fraud charge, so he had nothing to lose. Once they had found out about it he hoped for further sentencing leniency over the card fraud for admitting the password and hence helping the police. The problem for him is by admitting it he gave the police the "beyond reasonable doubt" that they needed all along to do him for failing to disclose the password.

So to this day, if you don't know the password, if you pretend you don't know the password, then there's fuck all the police can do to you with this legislation, hence it's not half as bad as people make out.

To date the only people getting done by it are those admitting they know the password and explicitly refusing to hand it over, those who do stupid things like this guy, and for example, more complex scenarios where someone pretends they've lost a password and the police can't crack it, but then they manage to crack, say, weaker encryption such as that used for his desktop login to find his desktop password which they can confirm forensically that he has entered and used since denying knowing his encrypted USB password and if it matches the encrypted USB password they can claim, well, he knew his desktop password, he logged in, and it was the same as his encrypted USB password, and hence beyond reasonable doubt...

Really, it's not the worst law in the world, the police have to hit a pretty high standard of evidence, or the accused has to fuck up and basically admit their own guilt to ever become victim of this. If you genuinely don't know your password, or if you deny knowing it and the police can't prove otherwise, then you're fine. You have to explicitly and provably obstruct a police investigation to get done by this law.

What's crazy is that I have a handful of encrypted USB sticks and even an entire laptop whose passwords I've long since forgotten. It's not like there's anything on them (That I know of, but a year or so ago I was playing with encryption schemes, full disk encryption, volume encryption, hidden containers, etc for shits and giggles), and recently I booted my laptop to discover that I really have no idea what the password was. Now imagine the stormtroopers come banging on my door tomorrow.. I'm in deep dood

To face conviction for failing to disclose a password in the UK the police have to be able to prove beyond reasonable doubt (and that's specifically stated in the legislation itself) that you knew the password at the time.

If that were really the case no-one would ever be convicted of this offence. How can you prove beyond a reasonable doubt that someone remembers something? I forget stuff all the time, especially passwords. Even passwords I was using the day before. In fact especially passwords I was using the day before, if they are new.

The problem for him is by admitting it he gave the police the "beyond reasonable doubt" that they needed all along to do him for failing to disclose the password.

He claims he forgot and then later remembered it. That happens sometimes. I don't see how it proves he never forgot it beyond a reasonable doubt.

To go back to the parent poster and Bruce's declaration: AES, RSA, DSA, SHA256 (SHA-2), Scrypt,... they are all used out there in production for quite some time. They are even used in some quite lucrative sectors. If anyone was actually able to break (as in find a fundamental flaw that helps finding the solution without need to brute-force it) they would be making a killing of money. Think about hacking e-banking transaction (AES, RSA, DSA), hacking crypto-currencies (DSA, SHA-2, Scrypt, SHA-3), etc. and ear

Sorry, but it's more like they didn't want to bother. The story makes it probable (not quite certain) that they already knew that it was the password to other devices that he had used.

Also, was he a terrorist? Could be. The story says he was serving time for planning attacks on the UK, but that could be fraud as easily as violence. If I were interested enough, I'd look it up, as it is I'm just commenting on the slipshod nature of reporting (which I'm assuming matches the original story without checking)

You'd have to look up details, but even 'planning attacks' doesn't indicate the ability to carry them out. A lot of terrorists in this part of the world turned out to be incompetents who don't know how to make a simple bomb. One lot had their non-functioning car bomb towed away for illegal parking. Being attacked by them isn't terrifying, it's insulting.

Yes and no. I'm neither a security expert nor an expert in intelligence/counter-intelligence. However, if I were to break a crypto scheme, it is paramount that I never reveal that I have broken the crypto scheme. That way, I can continue to intercept and decode your secrets while you believe that your crypto scheme is safely protecting them.

If AES were broken, the last thing that a government entity would want to do was reveal that it is broken. In fact, if AES has been broken, UK law enforcement offic

I'll be in trouble if I'm ever raided -- I have several USB devices and CD-R's that I used in the past to make a backup of something, and have lost or forgotten the passwords.

Forget your CDs, it's your DVD collection you should be worried about. "All I remember is the first part! 09 F9... then the hex code for some shade of red [stewd.io]... I swear!" This is why everyone should have that number handy.

I wonder what the penalty would be for someone that filled a device with random data, and the authorities are convinced that it's encrypted and demand the decryption key.

Up to two years. There are people in jail now who claim this has happened to them, but the jury did not agree. So basically it hinges on if you can convince a jury that you really forgot, or if they think you are lying.

He wasn't jailed for refusing to reveal the password. He was jailed for his part in a bomb attack. Once in prison you can get out early for good behavior and for turning over information. Here he tried to trade this password for time. He claimed he had just remembered it. But they found out it was a password that he had already given them for something else. So they backed out of the deal.

This goes directly against prior decisions by the European Court of Human Rights. There is very clear and unambiguous legal precedent, that a person under criminal investigation need not bear witness against himself. For example, in Marttinen v Finland [ketse.com] the Court interpreted the article 6.1 [wikisource.org] that reads inter alia "In the determination of... any criminal charge against him, everyone is entitled to a fair... hearing... by [a]... tribunal...". The Court wrote in its decision:

The Court reiterates its case-law on the use of coercion to obtain information: although not specifically mentioned in Article 6 of the Convention, the rights relied on by the applicant, the right to silence and the right not to incriminate oneself, are generally recognised international standards which lie at the heart of the notion of a fair procedure under Article 6

If the defendant is not able to have this sentence overturned in domestic courts, he should hire a lawyer who can bring this case before the European Court of Human Rights ASAP to obtain a decision against the Government of UK. The court will also award compensation for the inhumane treatment of the defendant by the Government, and obligate the government to compensate for the legal expenses.

This goes directly against prior decisions by the European Court of Human Rights. There is very clear and unambiguous legal precedent, that a person under criminal investigation need not bear witness against himself.

This was widely discussed in US decisions, but probably applies to Europe as well. If there is evidence, then giving the prosecution access to that evidence is not "bearing witness against yourself". The case where you _actually_ don't have to reveal a password is if admitting that you know the password would incriminate you. Not what's on the drive, but the fact that you know the password. For example, a man is murdered by being hit by a laptop. In the laptop there's an encrypted drive. If you have the pas

If the police, TSA, government or even my mother want to see what is on data storage I have encrypted then they can sit down and crack it, I have no reason to ever decrypt that drive, if you want inside of it then get inside of it but I'm not going to help, after all I didn't encrypt the drive so you could just freely go in and look around.

Chalk said the USB contained material linking the defendant to an alleged fraud. He added that it was only when investigators told Hussain he was being investigated for fraud that he gave up the password. Investigations into the alleged fraud are ongoing.

The memory stick did not contain any information on potential threats to national security.

Even so the law was brought in intended for dealing with terrorism threats. Although the suspect was involved in terrorism this specific investigation was not. Therefore this is that police power being used in a broader sense than it had been intended. Got no problem with the guy being sentenced for terrorism or for fraud, but the slippery slope of the usage of this power is disturbing.

From TFS: "already serving time for helping to plot attacks against UK targets"

It is irrelevant to consider a past criminal record. This is a new case, and this case is not regarding terrorist activities but a fraud-related charge. This means that case-law is being created: "even in cases where the charges are only fraud-related, a defendant no longer has the right to remain silent in the UK".

And here, ladies and gentlemen, is why the UK has become a Police State: it started with the slippery slope of "protect the children against porn and terrorism", and now two things have happened:

- You no longer have the right to remain silent;
- Everything you do on the web can and will be censored by the Chinese^H^H^H UK Government;

No way that I am ever going to do business with a British entity. Once upon a time they were a symbol of courage and freedom, today they are the symbol of oppression and prime example for China and North Korea.

The British law version of the 5th is somewhat different, and that's borne out in the statement that the police read to you if you are arrested. Instead of simply having the right to remain silent, we "do not have to say anything, but it may harm [our] defence if you do not mention, when questioned, something which you later rely on in court. Anything [we] do say may be given in evidence." The key being that "it may harm your defence if you do not mention, when questioned, something which you later rely o

It's different in one important respect – "it may harm your defence if when questioned you do not mention something which you later rely on in court". In the US, you can simply remain silent, and then pull surprises in the court room. In the UK, if you didn't tell the police when they were investigating, you can't tell the jury either.

It was a pretty obvious reference to the American Founding Fathers (the UK founding fathers would make no sense in this context) and the US Constitution/Bill of Rights. The fact that it's in the UK means that the American Founding Fathers and Constitution is irrelevant to this story.

Yes, we do think those rights should apply outside the US. Mainly because we've thought those were natural (or god-given, depending on preference) rights, not privileges provided by government, since our country's conception.

Yes, we do think those rights should apply outside the US. Mainly because we've thought those were natural (or god-given, depending on preference) rights, not privileges provided by government, since our country's conception.

Actually not quite. The American Constitution is a contract between American citizens (aka The People) of what you promise not to do to each other. The US Government is not conceived of as an independent entity with its own identity but an emergent property of The People consenting to collect their rights together for the benefit of all The People, based on the pooling of their individual sovereignty. 'We The People' refers to American citizens.

Consequently, since people in other countries didn't sign on to The American Constitution, they haven't made any promises to you of which of your rights they won't violate and you have absolutely no expectation of your contract with your fellow Americans being honoured, also you are not bound by the Constitution to respect the rights of foreigners.

There is however an expectation that anything the American Government has promised to do towards foreign nations it will honour, because The People of 1 nation can freely enter into an agreement with The People of another nation, which is why American Treaties actually form part of the law of the land (and it says this in the Constitution). This, for instance, means the US government must honour the UN Universal Declaration of Human Rights inside the borders of any nation that is a signatory to it because the US is a signatory to it.

The bottom line is that the Constitution is a written contract between The People. The US government doesn't claim to be bound to always respect inalienable rights, but only whatever it expressly agreed to respect.

At the very most some foreign government can violate your so called inalienable rights and you could launch a civil lawsuit (or a revolution) against it for being wronged and a US court might agree with you. But nothing in the Bill of Rights claims that all of the rights contained therein are all inalienable rights.

The point is that the U.K. Parliament is sovereign. That is, there is nothing that prevents Parliament from passing any law, and nothing one Parliament can do that prevents a future Parliament from changing its mind, with the single proviso that the current monarch is willing to put their signature to whatever piece of legislation Parliament puts before them.

There are basically only two ways out for the U.K. at this point. The first is a full blown revolution which would most likely be extremely unpopular. Re

In 1688 Parliament asserted its power and declared the King to have abdicated and invited William of Orange and his wife, the King's daughter, to take the crown. This included a new oath of coronation amongst other things and basically cemented the sovereignty of Parliament. Every sovereign since has been well aware of who actually holds the power since and even in 1708 Anne only declined giving Royal Assent on the advice of her Government. As recently as 1936 Parliament pushed out the King and there is a poss

Prevents, no....but there is nothing that ever prevents such things. The best we can ever hope to do is add hurdles in front of such changes.

Our constitution, for example, what stops congress from declaring it invalid? Nothing really except its own clauses. It is just an agreement. Now that isn't to say they are likely to get away with it. It isn't to say it wouldn't divide the country. In fact, it would do those things...which is the major hurdle to them just "changing their mind".

I think producing the encryption key probably is incriminating in a lot of circumstances, because it proves you had the ability to access the data, and strong evidence of ownership.

If you already admitted to owning and encrypting the data, then I guess it doesn't matter. But if your defense is that the usb key isn't yours and you don't know the password, then providing the password does kind of screw up your story.

Indeed. As the US government operates outside of its constitutional limits, it can only be considered a criminal organization.

Since it defines what is and isn't criminal it cannot, by definition, be a criminal organization. What it can be is unethical, immoral, corrupt, incompetent, unjust, and moronic... but it can't be illegal. People often confuse the word "criminal" with the concept of the "bad person". Ethics and morality have nothing, absolutely nothing, to do with the law. The law is about order. Ethics and morality is about justice. And our justice system has as much to do with actual justice as the military has to do with "peace" keeping.

In every society in which the rule of law has existed for more than a couple generations, it has been corrupted to prioritize order over justice -- and order is another way of saying "remove malcontents and political undesirables". Principally, in an industrialized society these will be young males under the age of 35 who are unemployed, under-employed, sexually frustrated, mentally ill, not eligible for meat grinder service or otherwise producing wealth for the already-wealthy.

Eventually, the law reaches the point where everyone can be a criminal, that the law itself has become an inaccessible bureaucracy, and every action can be rationalized as legal. That point is now, in the UK, the US, and indeed, most of Europe and much of eastern Asia. Every major empire has a historical record of its citizens complaining about overly dense laws and regulations, from modern times all the way back to the Roman Empire, and fragments of literature suggesting an intractable bureaucracy that appeared to randomly punish people as far back as the Akkadian Empire (for the iPod generation, that's about 2300 BC, or about the time Al Gore invented the internet and Jesus rode around on primitive loldinocats).

My point in all this is, it's not a new problem. Arguably, it isn't even a problem: It is in fact the natural progression of all empires and countries. But have hope: It's a sure sign that the civilization has passed its epoch. Within the next 50-100 years, western civilization will start to deteriorate back to a feudalistic-capitalistic hybrid where destitution, slavery, debtors prisons, and constant warfare again become the norm... and eventually the people will rebel, the world will burn, and out of the ashes a new civilization will rise up, and our grandchildren will enjoy a period of relative peace and prosperity.

The Constitution cannot be amended by act of Congress. It can only be amended by the votes of 3/4 of the individual States.

Congress may PROPOSE Amendments, but the act of proposing such does not guarantee that they'll be enacted.

In addition, a Constitutional Convention may be called by the States to propose Constitutional Amendments. If those Amendments are then ratified by 3/4 of the States, then Congress and the rest of the Federal Government just has to suck it up....

The CNET article fails to mention context, and my understanding of the case law is that it isn't so simple. I can't speak to the specifics of the Colorado case in the CNET article, but I do know that in the case of Sebastien Boucher/CBP, Boucher was compelled to reveal his key based upon more than just reasonable suspicion. In this case, agents had actually seen child pornography on the system, and then shut the system down. The key was flushed from memory upon shutdown, rendering the data inaccessible.

Sure. The UK's most famous Founding Father is a fictional guy who banged his sister, whose wife was banging his best friend, and who was eventually killed by his incest-bastard. Oh, and he pulled a sword out of a stone, too.

He knew the password, the police had probable cause, and he intentionally impeded an investigation. I can't speak to British legal procedure, but in America that'd almost certainly be enough to be charged with obstruction of justice.

We are constitutionally protected against self-incrimination. While you are correct that in America, he'd probably get charged with obstruction of justice, that would just show how far outside its constitutional authority the US government operates.

For the fifth amendment to apply, there must be a risk of incriminating oneself. That depends on the specifics of the case:

Chalk said the USB contained material linking the defendant to an alleged fraud. He added that it was only when investigators told Hussain he was being investigated for fraud that he gave up the password. Investigations into the alleged fraud are ongoing.

If this were an American case, the defendant could be charged with obstructing the investigation into someone else's fraud, but the evidence linking him to it would easily be inadmissible. It's been held in federal court that defendants can be compelled to provide unencrypted drive contents to investigators if the police already know the partial contents of the device. While he could pr

"He knew the password, the police had probable cause, and he intentionally impeded an investigation. I can't speak to British legal procedure, but in America that'd almost certainly be enough to be charged with obstruction of justice."

You're wrong about America. The law is far from settled, but in some jurisdictions probable cause is hardly enough to compel a suspect to reveal an encryption password. Actual knowledge of the drive's contents may be necessary to compel a person to decrypt it, as otherwise it

In the USA there is a constitutional right against self incrimination, and the right not to answer questions from the police has been the subject of many movies, both fictional and non-fictional. It's generally considered that "taking the fifth" is a well known act by criminals.

Without doubt it is possible to argue that not answering questions is impeding an investigation and therefore obstructing justice, but it is balanced by a suspect's right to remain silent when questioned by police. Now whether a pe

In the UK, the right to remain silent has been around since the 17th Century. However, it was removed by the Criminal Justice and Public Order Act 1984.

Since the UK doesn't have a written constitution, it's impossible to argue that a law is unconstitutional. The question cannot be taken to the European Court of Human Rights, because the right to remain silent is not mentioned in the European Convention on Human Rights, although the majority of E.U. countries have laws giving that right.

Further, the Regulation of Investigatory Powers Act 2000 makes it a crime not to disclose an encryption key to police when asked.

The question cannot be taken to the European Court of Human Rights, because the right to remain silent is not mentioned in the European Convention on Human Rights, although the majority of E.U. countries have laws giving that right.

Actually, it can: the ECHR have ruled that:

"Although not specifically mentioned in Article 6 (art. 6) of the Convention, there can be no doubt that the right to remain silent under police questioning and the privilege against self-incrimination are generally recognised international standards which lie at the heart of the notion of a fair procedure under Article 6 (art. 6) (see the Funke judgment cited above, loc. cit.). By providing the accused with protection against improper compulsion by the authorities these immunities contribute to avoiding miscarriages of justice and to securing the aims of Article 6 (art. 6). "

In other words the European court considers it so fucking obvious it doesn't matter if it's not said. The American constitution apparently considered it important enough to put down in writing. Sadly our (the UK) government considers it neither important nor obvious.

That ruling was brought against the UK when it was taken to the ECHR for violating the whole "right to silence" thing. Sadly the wankers in power will not get the message.

I would consider it his fifth amendment right not to be forced to self incriminate. It's the prosecution's duty to prove his guilt, so make them do their job. I don't care if he's guilty of other charges; he still has the same rights as everyone else.

The legal line in the US is clear. Protection from Self incrimination and warrant-less search and seizures are indeed rights, but that does not extend to hiding or destroying evidence. If they have a warrant to search, you *must* comply to the search or it's obstruction of justice. Just like they can arrest and charge you for obstruction if you attempt to physically prevent a lawful warranted search, they can arrest and charge you with obstruction for refusing to give them passwords. If a Jury will find

In Chadwick v. Janecka (3d Cir. 2002), a U.S. court of appeals held that H. Beatty Chadwick could be held indefinitely under federal law, for his failure to produce US $ 2.5 mill. as state court ordered in a civil trial.

It is irrelevant what the British government or its courts think they can do, since this action is clearly against the legal precedent set by the European Court of Human Rights as a breach of the protections guaranteed under the Article 6 of the European Convention on Human Rights [wikisource.org]. For example, in Marttinen v Finland [ketse.com] the Court wrote:

The Court reiterates its case-law on the use of coercion to obtain information: although not specifically mentioned in Article 6 of the Convention, the rights relied on by the applicant, the right to silence and the right not to incriminate oneself, are generally recognised international standards which lie at the heart of the notion of a fair procedure under Article 6

The British courts should take in consideration the legal precedent on EU level and overturn this sentence, or any competent lawyer will take the defendant's case before the

Even those copies are made with a hardware write-blocker - usually a device that sits in the SATA cable or USB connection, blocking any write request packets.

It could be done, but it'd need to be in hardware - a hardened chip that handled the encryption, with the key stored internally and never revealed. Even then a highly skilled attacker might be able to get it out by monitoring power use or some such trick, but it'd be very difficult.

Yea, right.. How about "Don't do anything wrong" and "if you can't do the time don't do the crime"?

If you depend on encryption to hide evidence, you are a fool on at least two fronts. 1. They will charge you with obstruction for not giving them the key, 2. Why are you keeping incriminating evidence in the first place? Just DON'T keep it laying around, encrypted or not.

If you insist on doing illegal things, then I suggest you come up with a way to obfuscate that there is evidence of wrongdoing even ther